Hacker faces prison for cyberattacks on businesses, universities

Timothy Justen French had already been warned once by the FBI to stay away from computer hacking when he was caught in an online chat two years ago talking about his desire to hit higher-profile targets, including city traffic grids and government intelligence satellites, federal prosecutors say.

"My proposition (is) to 'hack' servers that actually matter," French wrote to a colleague in April 2014, according to a recent court filing.

French, who at the time was 19 and operating out of his grandmother's basement in rural Tennessee, seemed bored with the usual low-hanging fruit. He told his friend that as they were chatting, he was hacking into several servers at once, including one belonging to a university that he'd decided to attack "just for the (expletive) of it," according to the filing.

"I'd be so (expletive) if I got raided now," he said, according to the filing. "Hacking like five servers at once. Three United Nations-based . . . two universities."

On Tuesday, French faces sentencing at the Dirksen U.S. Courthouse in Chicago for his role in a notorious group of cybercriminals known as NullCrew, which prosecutors allege was responsible for a destructive hacking spree on dozens of businesses, nonprofits and government entities.

French, 22, who operated under the screen name "Orbit," pleaded guilty last December to one count of intentionally damaging protected computers belonging to a large telecommunications company in Canada — identified in several news reports as Bell Canada.

According to his plea declaration, French and other NullCrew hackers stole usernames and passwords of more than 12,000 of the company's customers using a server based in Naperville. French announced the hack in a tweet in February 2014, directing followers to a website where he had posted the sensitive information, according to the plea.

The NullCrew probe was one of several computer hacking cases charged recently in Chicago, where the FBI and U.S. attorney's office have beefed up their cybercrime units and made going after hackers a priority.

Earlier this month, federal authorities announced charges against two 19-year-old men who allegedly orchestrated attacks with the online monikers of Lizard Squad and PoodleCorp. Authorities alleged Zachary Buchta, of Fallston, Md., and Bradley Jan Willem van Rooy, of the Netherlands, shut down the web networks of gaming companies and engaged in so-called phone bombing schemes. Their loosely based crew also sold stolen payment card account information belonging to thousands of victims, prosecutors said.

In September, Edward Majerczyk, 29, of Chicago, pleaded guilty to his role in a hacking scandal dubbed Celebgate, which resulted in dozens of nude photos of celebrities being posted online, including those of actress Jennifer Lawrence, model Kate Upton and U.S. soccer star Hope Solo. Prosecutors have agreed to seek a nine-month prison term when he is sentenced in January.

Armando L. Sanchez / Chicago Tribune

Edward Majerczyk, right, leaves the Dirksen U.S. Courthouse in Chicago on Sept. 27, 2016, after pleading guilty to charges that he hacked into hundreds of email accounts.

But federal prosecutors say French deserves a far stiffer punishment because of his years hacking — the Morristown, Tenn., native began at just 14, they said — and the prominent role he played in high-profile cyberattacks. They are asking U.S. District Judge Gary Feinerman to send a message to other hackers by sentencing French to up to seven years in prison.

French could have changed course after the FBI raided his home in December 2011 as part of an investigation into a series of cyberattacks conducted by TeamPoison, another hacking group with which he was affiliated, according to prosecutors. Authorities searched French's home and confiscated his computer, but he was not charged.

"Rather than being led away in handcuffs, he was offered a second chance at leading a law-abiding life," Assistant U.S. Attorney William Ridgway wrote in a sentencing memo. "Despite being cut a break, and rather than heed the FBI's warning, the defendant upped the ante, proceeding on a far more destructive course and demonstrating a complete disregard for the law."

French's attorney, Candace Jackson, however, asked the judge for a sentence of no more than three years, saying in a recent court filing that the government was overstating his role in TeamPoison, which had caught the FBI's attention after a series of cyberattacks on the United Nations, NATO and NASA.

Jackson described French as a victim of his own immaturity, saying a psychiatrist who evaluated him in jail diagnosed him with attention deficit disorder as well as addictions to alcohol and marijuana. A longtime friend told authorities that French was compulsive and "had been trying to hack into something ever since he got a computer," according to Jackson's filing.

Since his arrest, French has begun to "embrace treatment" and now wants to use his computer skills for good purposes, Jackson said. While in custody at the Metropolitan Correctional Center, French drafted a memo laying out his thoughts "about how institutions can improve computer security," she said.

"His writings and actions demonstrate that (French) is motivated to correct the course he was on, and that he wants to develop his considerable talent for computers for good," Jackson said.

She also objected to the government's characterization of French as "ahead of his time," noting that the leader of TeamPoison, Junaid Hussain, began hacking at age 11 and went down a far more destructive path than French. By the time he was 20, Hussain had joined the Islamic State terrorist group and became a leader of its hacking and social media arm, Jackson said. He was killed by an American airstrike in Syria last year at age 21.

According to a criminal complaint filed against French, the teen quickly rose to become a well-known player in the hacking community after the raid on his home in 2011. Over the next several years, NullCrew was linked to attacks on universities in Virginia and Hawaii, the U.S. State Department, cable giant Comcast and the online search engine Spokeo, records show.

On April 20, 2014 — a date celebrated as a holiday by pot smokers around the world — French orchestrated the release of a massive amount of sensitive data stolen from several entities, including a university, video-game company and credit union, according to the prosecutors' filing.

To maximize the impact, French coordinated with a freelance journalist, prepared a press release and took to social media to taunt at least one of the victims, prosecutors said.

"I hope you like open source as much as we do," he tweeted to the university. "A hefty list of 1,000,000 files on your master server is about to be shared."

The tweet included a profane hashtag that became a signature of NullCrew: #F---TheSystem.